Silent Wolves in the Network: Rare Werewolf Uses Fake Invoices and AnyDesk to Infiltrate Russian Aerospace Systems + Video

Listen to this Post

Featured ImageIntroduction: A New Era of Stealth Cyber Espionage

Cyberattacks against aerospace and aviation organizations are becoming increasingly sophisticated as threat actors move away from traditional malware campaigns and adopt quieter methods designed to avoid detection. Instead of deploying obvious malicious programs, modern attackers are increasingly abusing legitimate tools, trusted applications, and normal administrative workflows to maintain hidden access for months or even years.

A recent spear-phishing campaign uncovered by the Seqrite Threat Research Team highlights this dangerous evolution. The operation targeted Russian aerospace and aviation-related networks by disguising malicious emails as legitimate business communications from a government-linked research organization. Behind the carefully crafted deception was a suspected operation linked to the Rare Werewolf threat group, also known as Librarian Ghouls.

Rather than relying on custom-built malware, the attackers used a living-off-the-land strategy, abusing legitimate remote management software such as AnyDesk to create persistent access channels. This approach demonstrates how cybercriminal and espionage groups are increasingly focusing on stealth, patience, and operational security instead of noisy attacks.

Original Summary: Fake Invoices Become the Gateway Into Aerospace Networks

Spear-Phishing Campaign Targets Russian Aviation Sector

The attack begins with a highly targeted spear-phishing email designed to appear as an official financial communication from the Federal Budgetary Institution “VNIIR.” The attackers created a fake domain resembling the legitimate organization and used it to send convincing emails containing references to invoices, payments, and supply agreements.

The attackers attempted to increase credibility by including official-looking branding, including the logo of the Russian Ministry of Industry and Trade. By creating an appearance of authenticity, the attackers increased the likelihood that employees would trust the message and open the attached files.

Although the campaign appeared targeted, researchers discovered signs of broader distribution. The attackers used an undisclosed recipient field, hiding the list of targets and suggesting the same phishing message may have been sent to multiple individuals within related organizations.

Password-Protected Archives Bypass Security Detection

The malicious emails contained password-protected RAR archives. The password was conveniently included in the email body, allowing the recipient to easily extract the files.

This technique serves a specific purpose: many automated email security systems struggle to inspect encrypted archives because they cannot analyze their contents without the password.

Inside the archive was an executable file created using Smart Install Maker. When launched by the victim, the program displayed a harmless-looking PDF document to create the illusion that nothing suspicious had occurred.

However, behind the scenes, the executable was performing a series of malicious operations.

Living-Off-The-Land Strategy Helps Attackers Stay Hidden

Instead of installing recognizable malware, the attackers relied on legitimate tools and built-in system functions. This approach is becoming increasingly common because security products often trust legitimate applications.

The dropper created temporary files, converted them into batch scripts, and used command-line operations to continue the infection process.

One script connected to an attacker-controlled server and downloaded another compressed archive containing additional tools.

The downloaded toolkit avoided traditional malware signatures and consisted primarily of legitimate utilities. This allowed the attackers to operate under the radar while blending their activities with normal administrative behavior.

Deep Analysis: How the Rare Werewolf Campaign Works

Attack Chain Breakdown Commands

Spear-Phishing Email
|
↓

Fake VNIIR Invoice Communication

|

Password-Protected RAR Archive

|

Victim Opens Malicious Executable

|

Smart Install Maker Dropper Executes

|

Decoy PDF Displayed

|

Temporary Files Created

|

Batch Scripts Generated

|

Secondary Archive Downloaded

|

Legitimate Tools Installed

|

AnyDesk Remote Access Enabled

|

Persistent Unauthorized Control

MITRE ATT&CK Technique Analysis

Attack Stage Technique MITRE ID

Initial Access Spearphishing Attachment T1566.001

Execution User Execution: Malicious File T1204.002

Persistence Remote Access Software T1219

Defense Evasion Masquerading T1036

Command and Control Application Layer Protocols T1071

AnyDesk Abuse Creates Long-Term Access

The final objective of the campaign is the deployment and configuration of AnyDesk for unattended remote access.

The attackers modify AnyDesk settings, including adding passwords, allowing them to reconnect whenever necessary without requiring user interaction.

This creates a powerful persistence mechanism because AnyDesk is a widely trusted remote management application used by businesses worldwide.

Security teams often face difficulty distinguishing between legitimate IT activity and malicious remote access when attackers abuse commonly used software.

Why This Campaign Is Dangerous

The Rare Werewolf operation represents a major shift in cyberattack methods.

Traditional malware infections often leave recognizable fingerprints. Security researchers can analyze malicious binaries, identify command-and-control infrastructure, and create detection rules.

However, living-off-the-land attacks remove many of these indicators.

The attackers use:

Legitimate software

Valid digital signatures

Normal administrative functions

Encrypted archives

Social engineering techniques

This combination allows them to remain invisible for longer periods.

What Undercode Say:

The Rare Werewolf campaign demonstrates one of the biggest challenges facing modern cybersecurity: attackers no longer need advanced malware to cause serious damage.

The weakest point remains human trust.

A simple invoice email can become the entry point into highly sensitive aerospace networks.

The use of fake government-related identities shows how threat actors are improving psychological manipulation.

Attackers understand that employees are more likely to trust documents related to payments, contracts, and official institutions.

The decision to avoid custom malware is also strategically important.

Many organizations continue investing heavily in malware detection technologies, but attackers are adapting by using tools already present inside corporate environments.

The abuse of AnyDesk highlights a growing security problem.

Remote access software was created to improve productivity, but attackers have transformed it into a weapon for persistence.

This campaign also demonstrates the importance of monitoring legitimate applications.

A company cannot simply block every remote access tool because many departments depend on them.

Instead, organizations need behavioral monitoring.

Security teams should ask:

Who installed the software?

When was it installed?

Was remote access expected?

Is the connection coming from an unusual location?

Are administrative privileges being abused?

The campaign also exposes weaknesses in email security strategies.

Password-protected archives remain an effective technique because many automated systems cannot inspect encrypted files.

Organizations should consider advanced email filtering solutions capable of analyzing suspicious attachments through sandboxing and behavioral inspection.

The aerospace sector is especially attractive to threat actors because information from these organizations can provide strategic, economic, and military advantages.

Cyber espionage groups do not always need to destroy systems.

Sometimes their objective is simply maintaining silent access and collecting information over time.

Rare Werewolf’s approach reflects the future direction of cyber operations.

The next generation of attacks will likely focus less on malware creation and more on identity abuse, trusted applications, and human manipulation.

Security teams must shift from signature-based detection toward intelligence-driven defense.

The question is no longer only:

What malicious files are inside our network?

The more important question is:

“What legitimate activities are being abused by attackers?”

Organizations that fail to answer this question may allow attackers to hide in plain sight.

✅ Confirmed: Seqrite researchers identified a spear-phishing campaign targeting Russian aerospace and aviation-related entities using fake VNIIR-themed communications and AnyDesk deployment techniques.

✅ Confirmed: The campaign demonstrates living-off-the-land behavior by abusing legitimate software instead of relying mainly on custom malware.

❌ Unconfirmed: Public evidence does not fully prove the identity of the attackers, although technical similarities suggest links to the Rare Werewolf/Librarian Ghouls group.

Prediction

(+1) Cybersecurity teams will increasingly prioritize monitoring legitimate remote administration tools such as AnyDesk, TeamViewer, and similar platforms because threat actors will continue abusing them for persistence.

(+1) Artificial intelligence-based security systems will become more important in detecting unusual behavior patterns instead of depending only on malware signatures.

(+1) Aerospace and government-connected organizations will increase investment in employee phishing awareness training as social engineering remains one of the most effective attack methods.

(-1) Traditional antivirus solutions alone will become less effective against advanced campaigns because attackers are moving toward legitimate tools and identity-based attacks.

(-1) More threat groups are expected to adopt encrypted archives, fake business documents, and trusted applications to bypass automated defenses.

(+1) Organizations that combine email security, endpoint monitoring, and behavioral analytics will have a stronger ability to detect silent intrusions before attackers achieve long-term control.

▶️ Related Video (74% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.reddit.com/r/AskReddit
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube